TL;DR
- Venus Protocol (BNB Chain, Compound V2 fork) exploited for $5.07M, $2.15M bad debt
- Attacker spent 9 months accumulating via Tornado Cash → Aave → open market
- Bypassed supply cap via donation attack (direct transfer to vToken contract)
- Code4rena flagged this exact vector in 2023. Team dismissed it.
- Same exploit class hit ZKSync deployment for $717K just 12 months earlier
- Researcher William Li spotted it in real-time, shorted for $15K

The Vulnerability

Every Compound V2 fork inherits this. Supply caps are enforced only in mint():

```solidity
function mint(uint256 mintAmount) external {
    // The only place the supply cap is checked
    require(totalSupply + mintAmount <= supplyCap, "Cap exceeded");
    // ... pull mintAmount of underlying in, mint vTokens at the current exchange rate
}

// Bypass: send the underlying straight to the vToken contract; no mint(), no cap check
THE.transfer(address(vTHE), 36_000_000e18);
```

Direct transfers inflate the exchange rate (contractBalance / vTokenSupply) without minting new vTokens, so every existing vToken is suddenly worth more as collateral: $3.3M → $12M (3.81×).
The 9-Month Timeline
- Jun 2025: 77 Tornado Cash → 7,447 ETH (~$16.29M)
- Jun 2025 — Mar 2026: Aave → borrow $9.92M → accumulate THE (84% of cap)
- Mar 15, 2026: Donation transfers → 367% of cap → recursive borrow → $5.07M extracted
- Result: $2.15M bad debt

The Fix

```solidity
// Internal accounting of supplied assets, independent of the raw token balance
uint256 public totalManagedAssets;

function _beforeTokenTransfer(address from, address to, uint256 amount) internal {
    // Count assets that land in this contract and enforce the cap on every path,
    // not only in mint()
    if (to == address(this)) {
        totalManagedAssets += amount;
        require(totalManagedAssets <= supplyCap, "Cap exceeded");
    }
}
```
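As an added illustration (not code from the post or from Venus), this Python model of vToken accounting shows both points above: why a donation to the vToken contract bypasses a cap that lives only in mint(), and how deriving the exchange rate from internally tracked assets (the totalManagedAssets idea) instead of the raw token balance neutralizes it. The cap, amounts and price are constructed round numbers, not the incident's figures.

```python
from dataclasses import dataclass

SCALE = 10**18  # 18-decimal fixed point, as in Compound V2 exchange-rate math

@dataclass
class VToken:
    """Toy model of a Compound V2 style vToken (constructed, not Venus code)."""
    supply_cap: int                # cap on underlying that may be supplied via mint()
    hardened: bool = False         # False: rate from raw balance; True: internal accounting
    underlying_balance: int = 0    # stands in for underlying.balanceOf(address(this))
    total_managed_assets: int = 0  # underlying that entered through mint() only
    total_supply: int = 0          # vTokens in circulation

    def exchange_rate(self) -> int:
        """Underlying per vToken, scaled by 1e18."""
        if self.total_supply == 0:
            return SCALE
        # Vulnerable: raw balance, inflatable by anyone via a direct transfer.
        # Hardened: only assets that passed the cap check in mint().
        assets = self.total_managed_assets if self.hardened else self.underlying_balance
        return assets * SCALE // self.total_supply

    def mint(self, amount: int) -> int:
        """Supply underlying, receive vTokens. The cap is enforced on this path only."""
        if self.total_managed_assets + amount > self.supply_cap:
            raise ValueError("Cap exceeded")
        minted = amount * SCALE // self.exchange_rate()
        self.underlying_balance += amount
        self.total_managed_assets += amount
        self.total_supply += minted
        return minted

    def donate(self, amount: int) -> None:
        """underlying.transfer(address(vToken), amount): no vTokens minted, no cap check."""
        self.underlying_balance += amount

    def collateral_value(self, vtokens: int, price: int) -> int:
        """Value of a vToken position at the current rate (price scaled by 1e18)."""
        return vtokens * self.exchange_rate() // SCALE * price // SCALE

def run_scenario(hardened: bool) -> dict:
    """Supply 84% of a constructed cap via mint(), then push the raw balance past the cap
    by donation. Returns the exchange rate afterwards and the collateral multiplier."""
    v = VToken(supply_cap=10_000_000 * SCALE, hardened=hardened)
    position = v.mint(8_400_000 * SCALE)
    value_before = v.collateral_value(position, SCALE)
    v.donate(28_350_000 * SCALE)  # far above the cap's remainder; never hits the check
    value_after = v.collateral_value(position, SCALE)
    return {"rate_after": v.exchange_rate(), "collateral_before": value_before,
            "collateral_after": value_after, "multiplier": value_after / value_before}
```

Running `run_scenario(False)` shows the same position valued 4.375× higher after the donation, while `run_scenario(True)` leaves the rate and collateral value unchanged because donated tokens never enter the accounting.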
Takeaways
- Supply cap enforcement must cover ALL paths
- On-chain surveillance should flag accumulation patterns
- Take audit findings seriously
- If you're forking Compound V2, you have this bug

Sources: Venus Post-mortem, Code4rena 2023, The Block, Quill Audits

Tags: #DeFi #Security #SmartContracts #BNBChain #Compound